I. BACKGROUND AND QUALIFICATIONS

1. I am a Senior Vice President in the Investigations, Disputes and Risk practice at
AlixPartners. I have been retained as an expert in the matter of Kleiman v. Wright, Case
No. 9:18-cv-80176 by Dr. Craig Wright, the defendant in this action (“Dr. Wright” or
“Defendant”) and have been asked to provide my opinion regarding certain questions. I
am familiar with the facts in this report, from either personal knowledge or from
documents that have been provided to me. Insofar as they are within my own knowledge,
the facts and matters in this report are true to the best of my own knowledge and belief.
The analysis of the evidence in this matter is ongoing and I reserve the right to change
the content of this report as new information becomes available.

2. AlixPartners is a global management advisory firm with over 2000 professionals around 
the world. AlixPartners provides consulting services and has deep expertise in the 
litigation technology, computer forensics, and restructuring and bankruptcy sectors. 

3. I hold a Bachelor of Science in Computer Science and Computer Engineering from the
University of Southern California. Prior to joining AlixPartners, I was employed at
Navigant, a leading consulting firm, in the Disputes and Investigations practice. In my
professional career I have provided consulting expertise in hundreds of civil and criminal
matters. My experience includes forensic collection of digital evidence, forensic analysis
of digital media especially that involving user-specific activity and history, examination of
encrypted data, and the application of forensic scripting tools.

4. I have earned Guidance Software’s EnCase Certified Examiner (EnCE) certification and I
have participated in numerous training seminars related to computer forensics and
incident response. I am a long-time member of the High Technology Crime Investigation
Association (HTCIA). I routinely make CLE presentations at law firms on topics relating to
eDiscovery and digital forensics.

Case 9:18-cv-80176-BB Document S94 76 Entered on FLSD Docket 06/01/2020 Page 4 of 18

As a result of my skill, experience, training, and education, I have expert knowledge in
the area of computer forensics, specifically including the examination of electronic media,
best practices related to forensic collection and analysis, and the recovery of deleted
data.

AlixPartners is being compensated for my work at an hourly rate of $665, regardless of
outcome.

My full Curriculum Vitae can be found in the attached Appendix A.

Throughout this report, for the sake of clarity I will refer to Plaintiff, Ira Kleiman, as “IK”
and Decedent, David Kleiman, as “DK”.

II. EVIDENCE REVIEWED

For this report I examined forensic images of fourteen hard drives and USB external devices
that I understand had belonged to the decedent Dave Kleiman. For clarity and discussion
purposes, I assigned a friendly identifier to each device, as shown below.

9. The below table and attached Appendix B also provide additional identifying details on all
fourteen devices reviewed for this report.
| Friendly Identifier | Device ID | Device Serial Number | Collection Method |
|---|---|---|---|
| Device 1 | Corsair Survivor Stealth TD Black USB thumbdrive | DCA46D83A46D614E | Sent to AlixPartners by Plaintiff counsel Boies Schiller Flexner on March 15, 2019 |
| Device 2 | Corsair Survivor Stealth TD Gray Blue USB thumbdrive | 68A87A90A87A5C8E | Sent to AlixPartners by Plaintiff counsel Boies Schiller Flexner on March 15, 2019 |
| Device 3 | Corsair Survivor Stealth TD Gray Orange USB thumbdrive | D8BOBD66BOBD4BAE | Sent to AlixPartners by Plaintiff counsel Boies Schiller Flexner on March 15, 2019 |
| Device 4 | “CEIC 2009” 2GB USB thumbdrive | 78049557049518E8 | Sent to AlixPartners by Plaintiff counsel Boies Schiller Flexner on March 15, 2019 |
| Device 5 | Corsair Survivor Stealth TD Gray Blue USB thumbdrive | 8AFB-1741 | Sent to AlixPartners by Plaintiff counsel Boies Schiller Flexner on March 15, 2019 |
| Device 6 | “ACIS” 2GB USB thumbdrive | 0B10-7EDF | Sent to AlixPartners by Plaintiff counsel Boies Schiller Flexner on March 15, 2019 |
| Device 7 | Key USB thumbdrive | 7004-0ABA | Sent to AlixPartners by Plaintiff counsel Boies Schiller Flexner on March 15, 2019 |
| Device 8 | Microvault Tiny USB thumbdrive | 9034345034343B74 | Sent to AlixPartners by Plaintiff counsel Boies Schiller Flexner on March 15, 2019 |
| Device 9 | SanDisk Cruzer Micro USB thumbdrive | F892E54992E50CC6 | Sent to AlixPartners by Plaintiff counsel Boies Schiller Flexner on March 15, 2019 |
| Device 10 | Western Digital WDC WD7500BPVT-0 hard drive | WD-WX71A20K2955 | Forensically collected by AlixPartners on April 23, 2019 |
| Device 11 | Seagate ST9500325AS hard drive | SVE1B6VT | Forensically collected by AlixPartners on April 23, 2019 |
| Device 12 | Hitachi HTS72101 hard drive | MPCZN2Y0GS007H | Forensically collected by AlixPartners on April 23, 2019 |
| Device 13 | Western Digital WDC WD3200BEKT-2 hard drive | WD-WXMY0O8HR0O801 | Forensically collected by AlixPartners on April 23, 2019 |
| Device 14 | Seagate ST9500420AS hard drive | SVJO7GCY | Forensically collected by AlixPartners on April 23, 2019 |
10. The first three devices listed in the above table (“Device 1”, “Device 2”, and “Device 3”)
will be referred to in this report as the “TrueCrypt Devices”.

III. QUESTIONS ASKED

For this report I was asked to inspect the above devices and provide my expert opinion on
the following:

11. I was asked to inspect all the devices and to identify any evidence that they may have
been formatted or had a new operating system installed on them after April 26, 2013, the
date of the decedent’s death.

12. I was asked to identify any evidence of new file creation or file modification on any of the
devices after April 26, 2013.

13. Further, I was asked to render an opinion as to the impact of any identified activity and
specifically whether the subsequent formatting, operating system installation, and file
creation and modification permanently overwrote data previously existing on the devices
and rendered it unrecoverable.

14. Lastly, I was asked to explain how TrueCrypt encryption works, and whether there is any
known way of gaining access to, or determining the contents of, any TrueCrypt-encrypted
container files found on the TrueCrypt Devices without having the password or key to the
containers.
IV. PROCESS AND PROCEDURES

15. Prior to beginning my review, I confirmed that the fourteen forensic images in question
had not changed since the time of the original forensic imaging. I performed a verification
test using MD5 hash protocols and compared the acquisition hash to the verification
hash value. The test indicated that no changes had been made to the forensic images.

16. Following forensic best practices, I utilized a Tableau hardware write blocker to avoid any
inadvertent changes during my review of each of the forensic images.

17. A “file system” is used on electronic storage media, such as a computer hard drive, to
provide the rules for organizing and retrieving data on the media. File systems consist of
files separated into groups called directories. Directories can contain both files and
children directories (subdirectories). The file system establishes rules related to how file
timestamps, such as created time and last modified time, are updated in response to
various activities. Formatting a drive configures the device for use by placing a specific
file system on the media. The New Technology File System (NTFS) and File Allocation
Table (FAT) are two common file systems.

18. The NTFS file system is a file system developed by Microsoft and is the default file
system on Windows devices. A NTFS file system contains a database called the Master
File Table (MFT) that contains at least one record for every file and folder on the NTFS
volume. Each record contains details such as file attributes and references to the location
of data blocks for the file. Sufficiently small files, called resident files, can be stored
entirely within the MFT record. The created timestamp of various file system entries,
such as the MFT, can indicate when a device was last formatted.
19. The FAT file system is a simple, legacy file system originally for use on floppy disks and
later adapted for use on hard disk drives and other external media. The FAT file system
family includes several variants, including FAT32 and FAT16. The FAT file systems have
two main data structures: (i) a file allocation table (FAT) and (ii) directory entries. The
FAT data structure has a list of entries that map to every data cluster on the file system
and tracks which clusters are in use and which are “free” (available to be written to).
Each file and directory on the file system are allocated a directory entry. These directory
entries store details such as the file or folder name, size in bytes, and starting cluster
address. This allows the FAT file system to find individual files among the clusters of data
on a device.

20. When a NTFS file system file is deleted, either by a user, a program, or the operating
system, the file's associated MFT record is marked as free and available to be
overwritten. This allows the file system to allocate another file to this record. However,
the actual information stored within the MFT record, and the corresponding data
contained elsewhere on the media (if applicable), are not immediately destroyed. The
data is recoverable until it is overwritten by new data.

21. When a FAT file is deleted, the first character of the directory entry is replaced by a
special character entry, 0xE5, which tells the operating system that the directory entry is
available for use by a new entry. The entries in the File Allocation Table corresponding to
the deleted file are set to zero to indicate that the associated data clusters are available
for use. However, the actual data stored in the data clusters are untouched. Prior to
rewriting data over the deleted information, forensic means can be attempted to recover
old data.
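The FAT deletion behaviour described above can be seen by parsing raw 32-byte directory entries. The following is an added example and not part of the original report; the function name and the sample directory bytes are constructed for illustration.

```python
import struct

# 32-byte FAT short directory entry: 8.3 name, attribute byte, 8 bytes of
# timestamps we skip, high word of start cluster, write time/date,
# low word of start cluster, file size in bytes (all little-endian).
ENTRY = struct.Struct("<11sB8xHHHHI")
DELETED, NEVER_USED, ATTR_LFN, ATTR_DIR = 0xE5, 0x00, 0x0F, 0x10

def list_deleted_entries(directory_bytes):
    """Return the deleted short-name entries still present in a directory region."""
    found = []
    for off in range(0, len(directory_bytes) - 31, 32):
        name, attr, clus_hi, _wtime, _wdate, clus_lo, size = \
            ENTRY.unpack_from(directory_bytes, off)
        if name[0] == NEVER_USED:
            continue                   # slot was never allocated
        if name[0] != DELETED or (attr & 0x3F) == ATTR_LFN:
            continue                   # live entry, or a long-file-name fragment
        # Only the first character was overwritten by 0xE5; the rest of the
        # name, the size and the starting cluster are still in the entry.
        base = "?" + name[1:8].decode("ascii", "replace").rstrip()
        ext = name[8:11].decode("ascii", "replace").rstrip()
        found.append({
            "offset": off,
            "name": base + ("." + ext if ext else ""),
            "is_dir": bool(attr & ATTR_DIR),
            "start_cluster": (clus_hi << 16) | clus_lo,
            "size": size,
        })
    return found

def _entry(name83, attr, cluster, size):
    """Build one directory entry (helper for the constructed sample only)."""
    return ENTRY.pack(name83, attr, cluster >> 16, 0, 0, cluster & 0xFFFF, size)

# Constructed sample: one live file, one deleted file, one deleted folder,
# and one never-used slot.
SAMPLE_DIR = (
    _entry(b"README  TXT", 0x20, 5, 1200)
    + _entry(b"\xE5EPORT  DOC", 0x20, 0x00012345, 81920)
    + _entry(b"\xE5LDDOCS    ", 0x10, 9, 0)
    + bytes(32)
)

if __name__ == "__main__":
    for e in list_deleted_entries(SAMPLE_DIR):
        print(e)
```

The starting cluster and size only say where the data used to be; whether those clusters still hold the old content depends on what has been written to the volume since.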
22. When a user deletes data, any activity performed on NTFS or FAT formatted media,
including creating new files, modifying existing files, and even background data writes 
executed by the operating system, has the potential to overwrite previously deleted MFT 
records and/or data blocks marked as available to be overwritten, rendering them 
unrecoverable. Continual use of a drive increases the likelihood that previously deleted 
“available” data is overwritten by new data and becomes permanently unrecoverable. 

23. There are several factors that can increase the likelihood that activity on a device 
overwrites previously deleted data that has not yet been overwritten: (i) the capacity of 
the media device, (ii) what percent of the drive’s allocated capacity is in use, or how “full” 
the drive is, (iii) the size of the new files written to the device, (iv) the size of the 
previously deleted files that are marked as available to be overwritten, and (v) the 
frequency with which new data is written to the device. 

24. As a drive is filled with active data and its allocated capacity approaches 100%, the more 
probable it is that previously deleted data will be overwritten. It is likely impossible that 
data that has been completely overwritten will be able to be recovered via standard 
forensic means. 

25. Some encryption software validates encrypted data by requiring specific headers be 
present prior to decryption. The deletion of an encrypted file or partition, and the 
subsequent overwriting of even a small portion of that encrypted data, can result in the 
entire file or partition becoming unreadable. 

26. Re-formatting a device partition that already contains an existing file system results in the
destruction and elimination of data stored in the MFT or File Allocation Table, along with
the references to file data stored elsewhere on the drive. When a drive is re-formatted,
record values in the MFT and File Allocation Table are changed to zero. If a “quick
format” method is used to format the disk, the file data stored elsewhere on the disk is
typically untouched and could potentially be recovered, if it is not overwritten with other
data by subsequent activity and use.

27. Installing an operating system is a massive operation and involves the creation of
thousands of new files on a drive. These new writes fully or partially overwrite areas of
the drive marked as available, greatly reducing the ability to recover previously deleted
data.

28. Details related to a Microsoft Windows operating system installation, including registered
owner and install date, are stored in the device’s Windows registry at the time of the
installation.

29. I utilized Guidance Software’s EnCase Forensic Suite and Magnet Forensics’ AXIOM to
inspect the forensic images and (i) record the date of last format for each device, as
referenced from the created timestamp of various file system structures, (ii) record details
related to operating system installation using values in the device’s Windows registry, (iii)
record device attributes such as writable capacity and allocated percentage, and (iv)
identify file system timestamps for active files and folders.

30. The file created timestamp is typically the date and time that a specific file or folder came
to exist on the file system, either from new creation or from being copied from another
source. The file last modified timestamp is generally the date and time that a specific file
or folder was last altered, either by a user, program, or operating system. Modifying a file
or folder’s name or moving a file or folder within a file system (“cut and paste operation”),
will usually not update the last modified timestamp.
31. File carving is a process used to identify whole or fragmentary data on electronic media
without the assistance of the file system that originally created the data. I performed file
carving on the devices by searching for known file headers and footers (e.g. series of
characters identifying certain file types) within the “free” space on the devices. I extracted
sections of data matching those known headers and footers, essentially recreating whole
or partial deleted files. Data that was previously completely overwritten is unrecoverable
and is not able to be recreated from the original physical media through file carving or
any other means.

32. I searched the resulting file carved data to identify any occurrences of Bitcoin public
addresses or private keys. Bitcoin public addresses typically begin with a “1” or a “3” and
are between 26-35 characters in length. Bitcoin private keys are typically represented in
a "Wallet Import Format" which is represented using base58 encoding. I utilized a regular
expression (a sequence of characters that define a search pattern) to search for data
matching the pattern of a Bitcoin public address or private key.

33. TrueCrypt is a discontinued free software encryption utility. TrueCrypt allows a user to
securely encrypt data via a user specified password and/or keyfile(s). A keyfile is a
normal electronic file whose content is combined with a password to unlock a TrueCrypt
partition or container.

34. A user can encrypt entire partitions or create a fixed-size container that can store data in
an encrypted state. Within the encrypted dataset, the entire filesystem, including file
names, free space, and metadata, is encrypted. The password and/or keyfiles used
during creation would be required to subsequently unlock the encrypted data. The
software supports several encryption ciphers such as AES, Serpent, and Twofish.
TrueCrypt was abandoned by its development team in May 2014.

35. TrueCrypt encrypted containers and partitions do not have a standard header (e.g. series 
of characters identifying certain file types), and the underlying encrypted data appears as 
completely random characters, which renders reliable identification impossible without 
knowledge of the password. However, by default, TrueCrypt containers are created with 
a logical size (bytes) divisible by 512. 
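The three indicators named above (size divisible by 512, no recognisable header, random-looking content) can be combined into a simple triage check. This is an added example, not the examiner's tooling; the function names, the short signature list, the entropy threshold and the sample data are assumptions, and a match is only consistent with an encrypted container, never proof of one.

```python
import hashlib
import math
from collections import Counter

SECTOR = 512
# A few well-known file signatures; a real tool would use a full database.
KNOWN_MAGIC = {
    b"PK\x03\x04": "zip", b"%PDF": "pdf", b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg", b"7z\xbc\xaf": "7z",
    b"\x1f\x8b": "gzip", b"Rar!": "rar",
}

def shannon_entropy(data):
    """Entropy in bits per byte (8.0 is the maximum)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(data, min_entropy=7.9):
    """Return (is_candidate, reasons_against).

    The entropy estimate needs a sample of several KiB; very short inputs
    cannot reach the threshold even when they are random.
    """
    reasons = []
    if len(data) == 0 or len(data) % SECTOR:
        reasons.append("size not a multiple of 512")
    for magic, kind in KNOWN_MAGIC.items():
        if data.startswith(magic):
            reasons.append("known header: " + kind)
    h = shannon_entropy(data) if data else 0.0
    if h < min_entropy:
        reasons.append("entropy %.2f bits/byte is below %.1f" % (h, min_entropy))
    return (not reasons, reasons)

def _pseudo_random(n, seed=b"constructed"):
    """Deterministic random-looking bytes standing in for ciphertext."""
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]

# Constructed samples.
CONTAINER_LIKE = _pseudo_random(64 * 1024)        # 65536 bytes, no header
ZIP_LIKE = b"PK\x03\x04" + CONTAINER_LIKE[4:]     # same size, known header
ODD_SIZE = CONTAINER_LIKE[:-100]                  # not sector aligned
TEXT_FILE = (b"to do list: back up drive\n" * 1000)[:4096]

if __name__ == "__main__":
    for label, blob in [("container-like", CONTAINER_LIKE), ("zip-like", ZIP_LIKE),
                        ("odd size", ODD_SIZE), ("text", TEXT_FILE)]:
        print(label, triage(blob))
```

Compressed or otherwise encrypted files also score near 8 bits per byte, which is why the header and size checks are applied alongside the entropy test.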

36. The results of my inspection are listed below in Section V and in the attached Appendix B.


V. CONCLUSIONS 


37. On each of the three TrueCrypt Devices, I identified a folder with the name “TrueCrypt”.
Within these folders is what appears to me to be an encrypted container file. TrueCrypt
files are known to have a logical file size that is divisible by 512. They also frequently are
devoid of a file header indicating the file type, and when viewed will show what is
seemingly random data. Over the course of my career I have inspected thousands of
these types of files. Here the file containers are consistent with other TrueCrypt container
files I have observed. Each has a logical size divisible by 512, does not have a known
header, has seemingly random underlying data, and resides in a folder named
“TrueCrypt”. I am unable to access, unlock, or determine the contents of these encrypted
containers and, barring access to the password, which is currently unknown to me, the
only remaining option for attempting to access their content is to perform a brute-force
password attack. Executing a brute-force attack against a TrueCrypt volume or container,
particularly one where complex authentication methodology was used, would take an
extraordinary amount of computing power and potentially decades to complete. For this
reason, it is considered to be a practical impossibility.

38. I identified one file recovered through file carving with a public bitcoin address. The file is
not a bitcoin artifact, but instead appears to be a “To Do List” text file with assorted notes.
The bitcoin public address is preceded by the phrase “is this a satoshi address?” in the
text file. I did not identify any valid Bitcoin private keys. Any additional data that was
previously completely overwritten is unrecoverable and is not found in the file carved
data population.
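The regular-expression search over carved data described in Section IV, and the distinction between a pattern match and a valid address or key drawn above, can be illustrated as follows. This is an added example and not the expression or tooling used for the report; it goes one step beyond the pattern search by checking the Base58Check checksum, and all names and sample strings are constructed.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
C = "[" + B58 + "]"
# Pattern stage: addresses start with 1 or 3 and are 26-35 characters;
# WIF keys are 51 characters starting with 5, or 52 starting with K or L.
ADDR_RE = re.compile(r"(?<!%s)[13]%s{25,34}(?!%s)" % (C, C, C))
WIF_RE = re.compile(r"(?<!%s)(?:5%s{50}|[KL]%s{51})(?!%s)" % (C, C, C, C))

def b58decode(s):
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + body

def b58encode(raw):
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out

def checksum(payload):
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58check_encode(version, data):
    payload = bytes([version]) + data
    return b58encode(payload + checksum(payload))

def classify(candidate):
    """Validation stage: 'address', 'wif', or None if the checksum fails."""
    raw = b58decode(candidate)
    if len(raw) < 5 or checksum(raw[:-4]) != raw[-4:]:
        return None
    version, body = raw[0], raw[1:-4]
    if version in (0x00, 0x05) and len(body) == 20:
        return "address"
    if version == 0x80 and (len(body) == 32 or (len(body) == 33 and body[32] == 1)):
        return "wif"
    return None

def scan(blob):
    """Return (offset, text, kind) for every pattern match in carved bytes."""
    text = blob.decode("latin-1")          # 1:1 byte-to-character mapping
    hits = [(m.start(), m.group(), classify(m.group()))
            for rx in (ADDR_RE, WIF_RE) for m in rx.finditer(text)]
    return sorted(hits)

# Constructed samples: the key and hash bytes are fixed test patterns.
SAMPLE_ADDR = b58check_encode(0x00, bytes(range(1, 21)))
SAMPLE_WIF = b58check_encode(0x80, bytes(range(1, 33)))
# Same shape as an address, but the last character is altered (bad checksum).
BAD_ADDR = SAMPLE_ADDR[:-1] + ("2" if SAMPLE_ADDR[-1] != "2" else "3")
SAMPLE_BLOB = (b"\x00\x13todo: check addr " + SAMPLE_ADDR.encode()
               + b"\r\nkey=" + SAMPLE_WIF.encode()
               + b"\xff\xfe bad:" + BAD_ADDR.encode() + b"\x00")

if __name__ == "__main__":
    for offset, text, kind in scan(SAMPLE_BLOB):
        print(offset, kind or "pattern match only", text)
```

Strings that match the pattern but fail the checksum are reported with kind `None`, which separates random base58-looking text in free space from well-formed addresses and keys.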

39. I also identified partitions on the following devices that I believe to be fully or partially
encrypted. This conclusion is based on the fact that these partitions either do not
possess a known header and/or have seemingly random underlying data. Without
knowledge of the encryption scheme in use and the password, I am unable to access,
unlock, or determine the contents of these potentially encrypted partitions and cannot
discern what information they contain.

a. Device 12
b. Device 13
c. Device 14


40. I identified that the following devices were formatted after April 26, 2013, based on the
created timestamps of various file system structures:

a. Device 6
b. Device 9
c. Device 11
d. Device 14

41. I identified that the following devices had an operating system installed on them after
April 26, 2013, based on values stored within each device’s Windows registry:

a. Device 10
b. Device 11

42. I identified that the following devices had active data added or modified after April 26,
2013, based on file created and last modified timestamps:

a. Device 1
b. Device 2
c. Device 3
d. Device 4
e. Device 5
f. Device 6
g. Device 7
h. Device 8
i. Device 9
j. Device 10
k. Device 11
l. Device 13
m. Device 14
43. I identified that the following devices also had active data added to them after October 1,
2018, based on file created timestamps:

a. Device 1
b. Device 2
c. Device 3
d. Device 4
e. Device 5
f. Device 6
g. Device 7
h. Device 8
i. Device 9
j. Device 10
k. Device 11

44. In total across all fourteen devices, I identified that at least 106 GB of active files and
folders were added or modified after April 26, 2013.

45. The actions I identified in this report, specifically the formatting and installation of
operating systems, are acts that permanently overwrote data previously existing on the
devices rendering it permanently unrecoverable. As such we will never be able to know
the content of this overwritten information. These actions also potentially rendered any
encrypted partitions or containers that were on these devices prior to formatting and
installation of operating systems permanently unrecoverable, even if we had or could
uncover the passwords or keys to decrypt them. Without these, and possibly even with
them, we will never be able to discern what information the devices with encrypted
containers or partitions held.

46. The attached Appendix B provides additional details on the devices reviewed for this
report.


VI. RESERVATION OF RIGHTS 


47. I reserve the right to modify or supplement this report if I become aware of any
misstatements or if I become aware of other data or evidence relevant to my opinions.

48. I reserve the right to respond to any statements made by the Plaintiff or his witnesses or
his expert witnesses.


Dated: April 10, 2020 Washington, D.C. 
APPENDIX A
CURRICULUM VITAE
OF
Nicholas J. Chambers

Senior Vice President, AlixPartners, LLP, Washington, D.C.

B.S., Computer Engineering and Computer Science
University of Southern California

Mr. Chambers has almost a decade of experience in information
technology and as a forensic investigator. He has experience with
forensic collections of digital evidence, forensic analysis, and several
programming languages, including C++, Java, and scripting tools.

Mr. Chambers has provided digital forensic consulting and
electronic discovery services in hundreds of civil and criminal
matters. Prior to joining AlixPartners, he consulted at a leading
electronic discovery firm on digital forensics engagements.

Mr. Chambers has performed a variety of services related to
computer forensics and investigations. A sample of these include:
• Defensible forensic collection of ESI
• Examination of electronic media
• Best practices related to forensic collection, evidence handling, and
forensic analysis
• Recovery of deleted data
• Examination of encrypted data
• Filtering and searching for responsive documents
• Client site assessment of ESI, assistance with identification
of items potentially responsive to eDiscovery obligations
• Creation of custom script and programming solutions

High Technology Crime Investigation Association (HTCIA)

EnCase® Certified Examiner (EnCE), Guidance Software

CCE Certification in Progress

ADDITIONAL TRAINING AND EDUCATION

FOR585: Advanced Smartphone Forensics, The SANS Institute
FOR518: Mac and iOS Forensics Analysis and Incident Response, The SANS Institute
EnCase Advanced Computer Forensics, Guidance Software
EnCase Forensic 8: Program Review, The SANS Institute
Memory Acquisition Tools and Techniques, The SANS Institute
HTCIA 2018 International Conference Seminars, HTCIA
HTCIA 2015 International Conference Seminars, HTCIA
HTCIA 2013 International Conference Seminars, HTCIA

EXPERT WITNESS TESTIMONY

Orta v. Orta
Case Number: 155377 FL
Court: Circuit Court for Montgomery County, Maryland
Type: Deposition
Date: 01/04/2019